External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-04-05 10:09:20 -02:30
Code Issues Packages Projects Releases Wiki Activity

Updates to permissions checks (and tests), add logging around permission checks, permission-related fixes to support browsable API, work in progress on job templates API, added default logging settings.

Browse Source
This commit is contained in:
Chris Church
2013-05-01 14:10:42 -04:00
parent b6e7d964c2
commit ef92fe3960
11 changed files with 320 additions and 153 deletions
Download Patch File Download Diff File Expand all files Collapse all files

218
lib/main/tests/jobs.py
View File

@@ -16,18 +16,23 @@
import datetime
import json
from django.contrib.auth.models import User as DjangoUser
import django.test
from django.core.urlresolvers import reverse
from django.test.client import Client
from lib.main.models import *
from lib.main.tests.base import BaseTest
class JobsTest(BaseTest):
__all__ = ['JobTemplateTest', 'JobTest']
def collection(self):
# not really used
return '/api/v1/job_templates/'
TEST_PLAYBOOK = '''- hosts: mygroup
gather_facts: false
tasks:
- name: woohoo
command: test 1 = 1
'''
class BaseJobTest(BaseTest):
''''''
def get_other2_credentials(self):
return ('other2', 'other2')
@@ -36,45 +41,66 @@ class JobsTest(BaseTest):
return ('nobody', 'nobody')
def setUp(self):
super(JobsTest, self).setUp()
super(BaseJobTest, self).setUp()
# Users
self.setup_users()
self.other2_django_user = self.make_user('other2', 'other2')
self.nobody_django_user = self.make_user('nobody', 'nobody')
self.other2_django_user = User.objects.create(username='other2')
self.other2_django_user.set_password('other2')
self.other2_django_user.save()
self.nobody_django_user = User.objects.create(username='nobody')
self.nobody_django_user.set_password('nobody')
self.nobody_django_user.save()
# Organization
self.organization = Organization.objects.create(
name = 'engineering',
created_by = self.normal_django_user
)
self.inventory = Inventory.objects.create(
name = 'prod',
organization = self.organization,
created_by = self.normal_django_user
name='engineering',
created_by=self.normal_django_user,
)
self.organization.admins.add(self.normal_django_user)
self.organization.users.add(self.normal_django_user)
self.organization.users.add(self.other_django_user)
self.organization.users.add(self.other2_django_user)
self.group_a = Group.objects.create(
name = 'group1',
inventory = self.inventory,
created_by = self.normal_django_user
# Team
self.team = self.organization.teams.create(
name='Tigger',
created_by=self.normal_django_user,
)
self.team = Team.objects.create(
name = 'Tigger',
created_by = self.normal_django_user
)
self.team.users.add(self.other_django_user)
self.team.users.add(self.other2_django_user)
# Project
self.project = self.make_projects(self.normal_django_user, 1,
playbook_content='')[0]
playbook_content=TEST_PLAYBOOK)[0]
self.organization.projects.add(self.project)
# Inventory
self.inventory = self.organization.inventories.create(
name = 'prod',
created_by = self.normal_django_user,
)
self.group_a = self.inventory.groups.create(
name = 'group1',
created_by = self.normal_django_user
)
self.host_a = self.inventory.hosts.create(
name = '127.0.0.1',
created_by = self.normal_django_user
)
self.host_b = self.inventory.hosts.create(
name = '127.0.0.2',
created_by = self.normal_django_user
)
self.group_a.hosts.add(self.host_a)
self.group_a.hosts.add(self.host_b)
# Credentials
self.user_credential = self.other_django_user.credentials.create(
ssh_key_data = 'xxx',
created_by = self.normal_django_user,
)
self.team_credential = self.team.credentials.create(
ssh_key_data = 'xxx',
created_by = self.normal_django_user,
)
# other django user is on the project team and can deploy
self.permission1 = Permission.objects.create(
inventory = self.inventory,
@@ -82,8 +108,7 @@ class JobsTest(BaseTest):
team = self.team,
permission_type = PERM_INVENTORY_DEPLOY,
created_by = self.normal_django_user
)
)
# individual permission granted to other2 user, can run check mode
self.permission2 = Permission.objects.create(
inventory = self.inventory,
@@ -93,58 +118,105 @@ class JobsTest(BaseTest):
created_by = self.normal_django_user
)
self.host_a = Host.objects.create(
name = '127.0.0.1',
inventory = self.inventory,
created_by = self.normal_django_user
)
self.host_b = Host.objects.create(
name = '127.0.0.2',
inventory = self.inventory,
created_by = self.normal_django_user
)
self.group_a.hosts.add(self.host_a)
self.group_a.hosts.add(self.host_b)
self.group_a.save()
self.credential = Credential.objects.create(
ssh_key_data = 'xxx',
created_by = self.normal_django_user,
user = self.other_django_user
)
self.credential2 = Credential.objects.create(
ssh_key_data = 'xxx',
created_by = self.normal_django_user,
team = self.team,
)
self.organization.projects.add(self.project)
self.organization.admins.add(self.normal_django_user)
self.organization.users.add(self.normal_django_user)
self.organization.save()
self.template1 = JobTemplate.objects.create(
self.job_template1 = JobTemplate.objects.create(
name = 'job-run',
job_type = 'run',
inventory = self.inventory,
credential = self.credential,
credential = self.user_credential,
project = self.project,
created_by = self.normal_django_user,
)
self.template2 = JobTemplate.objects.create(
self.job_template2 = JobTemplate.objects.create(
name = 'job-check',
job_type = 'check',
inventory = self.inventory,
credential = self.credential,
credential = self.team_credential,
project = self.project,
created_by = self.normal_django_user,
)
class JobTemplateTest(BaseJobTest):
def setUp(self):
super(JobTemplateTest, self).setUp()
def test_job_template_list(self):
url = reverse('main:job_templates_list')
response = self.get(url, expect=401)
with self.current_user(self.normal_django_user):
response = self.get(url, expect=200)
self.assertTrue(response['count'], JobTemplate.objects.count())
# FIXME: Test that user can only see job templates from own organization.
# org admin can add job template
data = dict(
name = 'job-foo',
credential = self.user_credential.pk,
inventory = self.inventory.pk,
project = self.project.pk,
job_type = PERM_INVENTORY_DEPLOY,
)
with self.current_user(self.normal_django_user):
response = self.post(url, data, expect=201)
detail_url = reverse('main:job_templates_detail',
args=(response['id'],))
self.assertEquals(response['url'], detail_url)
# other_django_user is on a team that can deploy, so can create both
# deploy and check type job templates
with self.current_user(self.other_django_user):
data['name'] = 'job-foo2'
response = self.post(url, data, expect=201)
data['name'] = 'job-foo3'
data['job_type'] = PERM_INVENTORY_CHECK
response = self.post(url, data, expect=201)
# other2_django_user has individual permissions to run check mode,
# but not deploy
with self.current_user(self.other2_django_user):
data['name'] = 'job-foo4'
#data['credential'] = self.user_credential.pk
#response = self.post(url, data, expect=201)
data['name'] = 'job-foo5'
data['job_type'] = PERM_INVENTORY_DEPLOY
response = self.post(url, data, expect=403)
# nobody user can't even run check mode
with self.current_user(self.nobody_django_user):
data['name'] = 'job-foo5'
data['job_type'] = PERM_INVENTORY_CHECK
response = self.post(url, data, expect=403)
data['job_type'] = PERM_INVENTORY_DEPLOY
response = self.post(url, data, expect=403)
def test_job_template_detail(self):
return # FIXME
# verify we can also get the job template record
got = self.get(url, expect=200, auth=self.get_other2_credentials())
self.failUnlessEqual(got['url'], '/api/v1/job_templates/6/')
# TODO: add more tests that show
# the method used to START a JobTemplate follow the exact same permissions as those to create it ...
# and that jobs come back nicely serialized with related resources and so on ...
# that we can drill all the way down and can get at host failure lists, etc ...
class JobTest(BaseJobTest):
def setUp(self):
super(JobTest, self).setUp()
def test_mainline(self):
return # FIXME
# job templates
data = self.get('/api/v1/job_templates/', expect=401)
data = self.get('/api/v1/job_templates/', expect=200, auth=self.get_normal_credentials())